From 107def2e6527f605f1108829dd850fa46bc65b62 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Wed, 9 Aug 2023 16:16:49 +0000
Subject: [PATCH] Bug 66425: Avoid a StackOverflowException found via oss-fuzz

We try to avoid causing StackOverflow, but it was possible
to trigger one here with a specially crafted input-file.

This puts a limit on the number of nested children in place
and logs a warning when the Stream is not fully parsed.

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61256

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911577 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hdgf/streams/PointerContainingStream.java |  25 +++++++++++++++---
 ...nimized-POIHDGFFuzzer-5947849161179136.vsd | Bin 0 -> 12310 bytes
 test-data/spreadsheet/stress.xls              | Bin 63488 -> 64000 bytes
 3 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-5947849161179136.vsd

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java
index 3f3192f9fc..c4a91ad969 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java
@@ -17,6 +17,8 @@
 
 package org.apache.poi.hdgf.streams;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.poi.hdgf.chunks.ChunkFactory;
 import org.apache.poi.hdgf.pointers.Pointer;
 import org.apache.poi.hdgf.pointers.PointerFactory;
@@ -26,11 +28,15 @@ import org.apache.poi.hdgf.pointers.PointerFactory;
  *  other data too.
  */
 public class PointerContainingStream extends Stream { // TODO - instantiable superclass
-    private Pointer[] childPointers;
+    private static final Logger LOG = LogManager.getLogger(PointerContainingStream.class);
+
+    private static final int MAX_CHILDREN_NESTING = 1000;
+
+    private final Pointer[] childPointers;
     private Stream[] childStreams;
 
-    private ChunkFactory chunkFactory;
-    private PointerFactory pointerFactory;
+    private final ChunkFactory chunkFactory;
+    private final PointerFactory pointerFactory;
 
     protected PointerContainingStream(Pointer pointer, StreamStore store, ChunkFactory chunkFactory, PointerFactory pointerFactory) {
         super(pointer, store);
@@ -58,6 +64,17 @@ public class PointerContainingStream extends Stream { // TODO - instantiable sup
      *  those if appropriate.
      */
     public void findChildren(byte[] documentData) {
+        findChildren(documentData, 0);
+    }
+
+    private void findChildren(byte[] documentData, int nesting) {
+        if (nesting > MAX_CHILDREN_NESTING) {
+            LOG.warn("Encountered too deep nesting, cannot fully process stream " +
+                    " with more than " + MAX_CHILDREN_NESTING + " nested children." +
+                    " Some data could not be parsed.");
+            return;
+        }
+
         // For each pointer, generate the Stream it points to
         childStreams = new Stream[childPointers.length];
         for(int i=0; i<childPointers.length; i++) {
@@ -74,7 +91,7 @@ public class PointerContainingStream extends Stream { // TODO - instantiable sup
             if(childStreams[i] instanceof PointerContainingStream) {
                 PointerContainingStream child =
                     (PointerContainingStream)childStreams[i];
-                child.findChildren(documentData);
+                child.findChildren(documentData, nesting + 1);
             }
         }
     }
diff --git a/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-5947849161179136.vsd b/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-5947849161179136.vsd
new file mode 100644
index 0000000000000000000000000000000000000000..801fd683420c223797668b1fda8f7e64da5ed234
GIT binary patch
literal 12310
zcmeHt2UJtr*6v(;?<7=rC;}pw4cG+<MJz{2C{k>of{F(XEfgui00(;z!LC@bq1gKo
zdpVY1mviLAu1E0%6bnR601;G@{jcb`<G<sM``-QU`^R{1{A0Y8F?U&6d#}0ITC;p}
zt~)BL+8xIn>);=XKagNxO@aG&^$1@Z>099gSmO)hy@6%f@09@f@_%;e_@B-GzstQI
zKVXk1kHkb_;$Sk)IS-QwCR0pin9MO*V6w#22@{P8F9EQ^WSoB^+2ZTYnC$+p?%(C-
z|F{3YI|AcChJU%hz;MXIXF1Hov-e*wc6i17jbj2oX6<M^0#trGLdf^i_hVePoonq-
zC9=V{1;z!2%LGV+9859@#*_$okO|UnoP7WPUmcx*K*s)!Yu9-GSM81e8##0ld~eBt
z@!$H)g!pgY9*+A?#+=A8AMtoRjGSeCZ~9M<y>b6W9cYxF|7!on7iAj-4HwQoeD@Fk
zCO?Dz`hH{I#`68G|NEm+J~#fQ$S0)bq{*1xQKS1X!SeY0w5$|MqqyV3`94NP2y9^-
z96sI+J#YpX{nvBvlNv$f(9n##TmbB+X13+4j)&TtU`at^lO0uHhgVb=C}5$ovJzgu
ze$7I4bv2wgaY755H*a=<0!U_)lVSAe(cq)-@c~Ci$M4;K(?Z5e3Rnj`r10n?Oc&O$
zCUo7GkI+S<Q==%Xk~F#`PyiDkPm9m!0~e78w;sTC2#5IMLD>3`)=_DhQZ|PfBh6>V
z$tGsTXY~QngXrW#D2Q<r@mD4-0x|~%L}_#ZZ(Ht&npukbw6TeK+Y%#o#QLub@&GTa
z<5<UUEcAkNwl%Cq*9%5ybjUM`0tSD&lUeQ8HVRTTIs&t#xlO!nK_iT6Q%OJq0z(9#
z=J6CU9%*#K*|ta6(7IVgB0yrN*R4T#(R7N0Y1|296-?n30h!00fT)CMBAVcoQruFC
zSBkb5pnGJ5*#?scAWJEV8c&@kM6X-T1WtDMP!Wo9vfF`>pCjStNc!2Ee6jq(79bcy
zZXnn5Hjt66_;8-yK$?_NrlnN0St(^+N?DXrmiVSqDMgo3{8GxQl-grmO4<A*Sjp!_
zLi`~x1TiSojR<uk4~Du?p>CW|H*TmKPZ!GE6V%%%y7dG-8@AW2uxkX0+hAMSov7@7
zk*sv_C-m$uz4ozCO6-EEL=g+4iQVuHZD+w3ErM&XkcFjC3@)(Ne;~FhyNR^<;E(2J
zt2_9;Kp5TMd%<<lO8y$bZb2z30?u%kw=KF=#8sjQcpiRj23R)``x+^*WLhMCZ1<~A
zPJ#n|LT8@~-YrVu3BR6pLcxPT!F~?C3tTSvifjsZAnKZ5oVQ(QC7zu1mlk=KK{}Ab
z2&dSi9=8coSiH#F$`U5rgD9f21t}7f>W*S!Ft<kKH;SH0XX9m_XAwSNxy>VLl=lG<
z8&SZ?elF6ACJRn>T?CVmaBB$1kAhn(gtk7B;titZlJlaY6CRUS3GfSAA8HAN6`;%r
z#TW#GxkJ#lh@%l#A|6D%9z89lm`sTrAre28%n=x3R&|)moMl*4yq#`ZPQM>_SaeTT
zpWMH5eR5R4afWGxVH#;jS;X@VC7{R>77NpZi3PH2#StR7a7cDhmVzR>3f`WaKPFvH
z7ZF?X_897u%3eyV6lJZMWtH4ntvOxtT622kwPr5@k5Or<hrxP)Z&y)$(&Y;Syz;$9
zFHA-YefmIt6>yA}+_l8|IU0zKJw05^K%O&C*llKk0Ngr5ba$Sxhb7Q6lhI2_(R!H(
zVi(yzp+}{p@z9;!`LBZ(&CnAR$B%&MF_yqs0oj=#e=Z?jwv&Uom5gfOU{RmsdRgSA
z@<)`O@Xn9&S~#@W(JX9%eDj*i(F@<MUpT!`PNXdKTH#kH=~1y)a(hVs;Y9T$mx1Ns
z<v*5ZmMh9Pm&2nYXS<)WuG}<B;#o1MVnhXTMH1>&u*&B_`RmP!yp}D5>HZNj3vw$K
zR&1;|SaG2O9#_;>G*{dzmn(~urAmGUBT)8M4pC03xD)MGp}eew`^s0!Hl?*{SNW-O
zk!mIvCaVgjpMsVxk#~wz<*NNElV4P~RkvfhYgBp_t#(m^k9v%{tI9()TfIVEu0Ey~
zUseC9exv@ZHrJ{q^ysC9!P=49DO#C!sdlY)kCs$|BkRTvU`HyaC~s>2&}y`xuh)lZ
zbSBt&5(0|=Yu%h|87s?xut+8ttF81A(p+YcH!BQc#!KaCMnx7WPs_@cD&#OKGRkX6
z4StFZ`KFpkC}uP|QmgA|sbSljQZHczg|*S!H?6e_ZQED<JX+kB$F92hvT4T9OCrNi
zjxxloIB-W~e(&9)F<c5vJ~h2drf1NA8k;%+(YFuJuo}>MGh!%r8`6`*xdsy;xC!U+
zT1UJDP!T4x6HHWuX#xY=Py;mvx8l6#!5Y{~Edw=3mq9mVd*sbW3c?zi7x1jj?t^R%
zuAA}Zqn;hE*Xhu52)0^ESgipz&NL)LmY<k<CSIPaB2e5TlF%fuDuR4SQ3+_Nir~z%
z<vyey@Dw(tj`OVc^Q^NWudbn)Y0&}PHyR(T6ILxQVYP+rEAvfgB7X+EY%#T{y*+>V
zSKxF<^ir0qE9gfLqa)~eI)^T%S5h4R6~uBN^V?17vmC`@)Lz1(cKt++E-E!Ghsj}Q
zW+uoo7`c?qmP>P_S-CkZ6Q4DcNl(jSlNebtlP#CAiPD@LY(y9~IWH?QH%*qs_6H_d
zmY0yhN<9)Y(h}1dHdn^PCnez*<|TM!$EQg9W0k^&eVa2=c<74fU!!9U%@o8^=*4FQ
zrkx?x2C4Df)uOj8A%D#tD{{AFwW5$;V*79SP4nu7FGn51xhIO8YHo)8aH1d2Fdg=w
zJTt<dI}eeeTmx$j1eHg`F(2Nx)QUL!5hsr{RG5C7M1X_05$`T#a+fl_i=1RY5>#hE
zR1;dy;{fr6AiuzSARU_sjtSzSHo}3=;kWmoEKRC`C>SL+C;)4JJ!=T!e=#!;DuB2j
zf@In3OnF*LYA(~84eG;q4IVs@VZVD7K{8gJEtALN0b;ZIGfY5624je`&cTD5Bb6(D
zk|y;BgM%Ee1OE8b_-tu^HZ>#L#m#GwaFNdd7{(Xz?a&rJsuNaNr*hLc)nJ)`e!Wk0
zx=Yb_u}$3#>?X7imY`jru){V(4_i2(=D>B7(Tt+u5IFs6&yz!Zg;fZ)xZQgqu#m&g
za2G~$41*Y?1d*#5#Wy2d%qB9V1AhWj$Qceqe@_(P?oa>Z8Rk;p(!JN6&7R^uXZv;H
znae?r9!+E_4IK;uFI0JC7=IZ&uo3RJ5zaYcBaDQl*|3BI+};)Z>4-t5FFvPHd<K<$
zX?oj2!88tp4@=)oGU3Cf_Y*Sc$(xVjH5c9Q?O>__?xF*D7LIb2z;SUAS?n0_GaMG3
zzBEuRTJ4A60QRcu1`-#9)qomoA}zPOWOE|y1C)4#Ho=-m@vDSLv3I1HLRTR3(icG3
zJK;Y!P=}xjJ0>pB32TRSAzmE>hvJ{^48;L??Hb)t%HKxMcCbW88s`o}#8E-A9BnQb
zd?#AD56@zArE(@WRm$iSZ;6@soE%vqn--rdO=9xXzUHPr5o1BgmY2(nVo=Jj297#`
z0E0~##F?wRyScf!^CSBU$6ex|mgDXw?;hQ8D*QSBN`Ogl-Ygq1JnTKuin$+}6duLM
zE+#hx<>X4U4PmF(QT*b7%pQ`CP}?40Ww;VxI!>A+%ab4ZA_ha?M5`h9L$luGWhOil
zr$=T>Wo_9R(iQyad1>-TjpAHcjX3jBWUh2-Q&4VvPI@Un>$C0(g9;9e*cW0=nnpq#
zYu+PLF3Xn6HMwc0#txcjB^)oEoBJdvFDF-)`6-~IZ_>2!QYJ^5A(bXJ1mtYDzE2Qw
z_h4QJLnbhsg2JJE=L3_yARqJz4b8RRG%KrCRvN|f)w6q|j~_*6^)1R#?5f|0LGRQ`
zA*)B*IOFe&B2RZFMctiArS4Oc(ub_{<$P>uQwDQ160C5)DYCH!Z8L?X3OmvyLLAzj
z?nD1TkESKGf2Qdo7SSbz^g7zG8J4oBttcPqHyi^+F<S(L)^t-5oI!{#Qn09e0ZZtv
z67v^V(`vejCcE7-IZrKfsDe%OF#E;q+_M^8U+@5;q4~^L;TWuYSgduvwCYd|i(OW1
zOm0B%`EKYJ&SQW!jn1tPINelqL&vZ;JVB$=oAm+POWhEU*9MRrN(4jAr+v;Sb3E9h
zuzo;kZ*@ai<KY?!8tB&tawEXo99kgMjvh>Wyw?qJW-fs2#aLY%!PhC@hGwe1%|-mS
zrRNbq1duH{&YO?s>EPN09Lxdxm`-(H5QrfV*eFgnl!rqP$hAh-#i@pU+3xW7e?Q=M
zLr08%o7Ct&&#GaK&vBp|i*Z!0!5KAZapYp5PFDrN*b`-)k<0?V0#~CGVNkQXqRkm?
z=m+*1U9i6oxVJl_(?3vSX-NDFof&b+--;1o8Vd!ANUX{Wh+$gYhuW_QIyW?TunjC*
zL<ArVTJ-GeR-N+v^Q<%Mv-f=Qjf7*9O5E+N#H|LbZ4oNLPOPaP9bh7(2`xASwgLt=
zR|Hq#1R_Qf8|XU+=<{?nJ&RkAOa~2NW54Or*zwps$TM1+95(j5(Tr#1xv_!qIcbS{
zhPGqAX;5`e|DSSlj1xUz<p93zd<aBrXQRn^Yz0lh8l6tp!2)KE#oT>kPJy{IGG|~v
zyl%CE5To<JSq9jnptQPCWM3Mzcr?EwoSSeMBOHIMd0oVYSyWGPh|#Oi8r_QJMz2C)
zbStn|v5mVk4EPi1>vUt2(W&SM#7v%{4$uPb2h>0;$47F#(XEhRzXHI)isx+GW|BY&
ztW6X6aPI@6w&5n6VfMgyF)rLm0vE1{$t-FH_iU=*Dba-w35>uRZ9ib8M=o45>vN9O
zIY$n4&c2JaiNLm*Uk7vTKcLR0sIS>MNAq*`C4vDxY;>Y9k72zd@0!=4bB<M*&UV(B
z+HC1%26HhCL|FS;58;Pmvl)UC$>T2M8P~0xiwriMSNqff_iaW`rfWAFQ)esK0tzKM
zgB_hU;ZRP(7DDz6ve1nFM(@Vx+|<AzuP;vts~7Oixlv;820J&0Y~qe|vmp{#fi>xD
zOD#)40&9-k*GZ7$WBNtzwLcuQkPXt@7x-PdZ$9!MRHHlRx|@I2%Mnb^cw1LsmprV>
z+d}2-*bmGe`&z2JU2EZvS6g48Ro>pP0QLmxg+uhh4zIp?q3c1t&`~e6)(g$_LTb!)
z;RvX57G@#4U+GzIKBj~N5oHA@=qXk`#5iyvgFuaLA|JTVfcFASoQ2V*;b4{m7SqL+
zr-ad+cJt}$LjH51RkiTo123CbLfcyC+$ywN6CpnN3{nFuHM(m(JMN8#lP~aH*Ylw|
zQA!7kYKg}ohLg@hohqU(qN`V1uy}OOwIx+a-siXzdQ4~%b0{ZCf62+|;$X=H$thvF
zByz4~X26+<ssPi~Q>u1OajDV;oM7%tUP;W`C1$euCm#wKnYZkf@SNmUV5jbxvYSD4
zYXnbnGD5saHhDaRopp&aIWL6k!qvQI#0btEbCYM->ed(r^?3PBTdP@-_`AB+-V=#y
zo#a}P`1&tB<S+W=xn%q0+!KAtaJPK{xkMZf+L%Z8rcJ*h;uywAvQaK6osONU?3`#K
zG3UWF`MvBMGCybdr%{A9JNvUobte-q;UDO_FjR<yKFnlL?1NvR2o6{YKR9_+L57=G
zG{Atx4|u%Eo(SCY`6ac!`3?mGdk!ku*ku_^YD_B#PAd?m6*$4tgQtW`!hzeA-Fu&}
zd+i^bx-TAietDxf2&O}?;A!ZGeqnjT7>_xBE_TU|s&Dh3`=SCiMHg&ZQSf*ZI5@AO
z!XXM)Wab4#p@@iQkTkqgur$C~h{6K`#;SybdYUc=>12draQBmwf1W@eddL;KDF!G)
z6)|%;BU{&KvK57jb&9=;vkLfCQKR^vfRdgiWfguUVI>8VOEOC4m1Mx$l07A(2m&sa
zs7mTeT1q(O_T_!be<+91<&urDtLl<x1<Wd6UT*zU;BTd8kCk67e^~zG43n;V3S=|p
zRhk}|cf)P}yviI>$2USap;z1i$gEIQ)K$Q)ic=LgE5@od75a(=%c;vwu1a4e%aY;B
zAC;L(EP1PyyOgJtH<f=VB^$R3iO**#j>=xOwfqOwXq7|-)2myztx@e(omSmaJypF^
zfkDMryQ+QFceIn#)6{d+wJX(&7p<y0qOMdMLxvCk!fno4Pi=s9yw+B#m2BjwQ%x6$
z*JyWZ1FaPos<h9v@3lY9FilawdMnc-rF>^hzCz!MsVro(h3q<ZFME~^^whB**h-+S
z>F%_X)ew3V&9aE|9dm4;zpHe{XqP1$<zg!buCu^X0H?IM0;wQhu*A7_+d;tv0sJng
z6*LPdPdm@vo<lrGdBR&!wr8Q|I?uhHXM64Uy5ZUBi6_f)-+Qv2Rw6f%cz`HWG*6T+
znky>t3vGxGiXzV@bUSuL1XA+4-{+xgiuP{cEVvveWF6eZ;-gs8hc3Hrc4U3KFemYg
zYyLQkQJq!`_m&#=#G$n0d&lDmdGhgia(1%8H6KHRo^e<$zKmOh4fLCYwAGDqEeW9b
z3tbEfJNP_~tV`g$Ng&@OpvIO2vLykraadypb7t;|<64AF8<Q?J%@1p}*fPy>P;hUt
z0cm#wjrIl*;2DIZ6#<IKLBYJZFfw5)aX@Yc3r@*bd0F!hiO;(2_i9QEz3kOT_D*qR
zv<$?B8SxfBuR0<6BV*u}YKQ5mw_X+$rrml~DzjR2JkhDRQbs=USXh&A#S2lfs}WJK
zsc?Q>W89uXgN!d<Tgd6VsgT@Mi1rkcdkVc35UiM>NL9>IELUvHZ$3uFAE1sYuKr}!
z^|<{3u|we@VdyU5Q@rpEiVF>=;mLrU<XWG?wAuk-CHph)ttaFq<jc~Ugq5r6<2vyh
z;|d~nZt`l3`*G*d623fqC#P@3PBLOA`f(@u<IegL@uw1#a>sJ_a{uye`J4l}2e^sl
zd1YPJ3LWi_n-L|eh;r|Z8<u(<eAbjWq_h57j5Mn6`Vo7^$*jcUOLgAOqJon_E@JD6
z^G}1+Vw6j;n9Z|@%QK6k>RIe?^YSd?^0u1)ev&M(s!lq-*RK7@_J=2{P8L{;4OaVC
z3vVB-I!fL-#x=c+3Z5K&c+~b<O2w9n^A***%p(7c3qD#Oms&|?T;W(xq?RfdUPl(Y
zj_*B@u<&~CT_$T!{hoO0hTQ>i#+Bz+)2~`_pH`+{eOZk%u9)6$xLKBWm3|7al^fT-
z>-0l(WcWHHMcT0te;yfhktiNw?h+<b?^sKuJ0X2vC38IS_}<7h%304NnpQqrcIxO-
zpU5FY#*#b4VPHO7IZ^4Grks62J<3`jE>rJT!fE9#<x}N5r9sJ8x!z2@%)Gc$ALp);
zU;h0C$6pnx5?1d@ecW5yy%m8D*Adk(xxc><HPzh>WgA|Ge-1$0yV>kcmD{I_D)L|(
zc&mfe6V$2dS?cBLZR(?H+bik^&n!w-QRUuW?#jnkzKQ?xe9!zLonObzzOXo$bzL3S
zoe_)Axz>4GyBDuIsv-&ZMHa(R0dN2OQ^yl;aC+}jaSE2e`O4JG1#nmUvVNGgR(tqh
zQvqUcANpk=fr0X4v4PqlR__TUfb;3+kjR)MUR+bNzWFO_Vo3|kg7_%WzBl@v_dx&?
zcxIlz)BQcg9<iw2eyV4!XW=_f&%FX*OqW5&!5)#<dPFYo5gB#=5%)g$ZfKr2wu^q!
z_*@o)>O=;I7#_L%K-%o6p$E4Be|0a<$W+@GyLglQ<N?IU1agzO&nw-Y`Cc1@0haUW
zwe%i(_63^-pD;##NWY;!)8=;71Dpi?9fAY}62WxA0zvZCMMBxNm4O^;gW!NQR0u8$
z?hCGaKK6tL&#s;xo+8h&o?ASFC5t>ERbnQ&=-FR#RMO(f5!w6Ab=)2nJTogkQz&8r
zMNy(;(cPVM2X=a?ZdG^iw6iZPxmuS!$O&qMUfLjSv^GUMQ@c#NRm)Up-BjTbpS80i
zh>|$jH8>-mee0p@Zr*lPO2OT{6D%Ux{HK@C$a^n1ouj?drv$in&&Z<|_%5o<nY{E4
z`+|j!>~E6ilD_m%S|*93A3VEEFBWYU9Ts(Y_sDN#&+@g{=jif$(44iVe60vYSaj|a
zPRuU#ikPK<=!levor+~*k5#g3zB{)@Kt;smi2D&gW1H3>89!l8DQv08mnbU|B`+(K
zl1-8W72<x%^%W7y770hjAJ(<EOgtpsCn;DqL6$0;CBsgfu{@7$Xzl{&b*qc`3kEn?
zlj7_U#bQ623p_AkarD~^=Ta?M9KfM*64i>unRFYRW$CQMsZ)D!Xwf+yX=pZwQ32p!
z2^ehr9UAh*h-G{i40p!W=)8Jk=teg*cmJ!waKLb>JBCXaj1A0cbowzb+YtsV7y{gc
zsCEIW!<|9~MnqM>219rJuF+jEp8E!eCV(XBt25eTZ-he+g9VW51~+<P)WaHcMaIY^
zEBz}n$$I}4nZz~UBa>e-uGUe0<T_vpJYxks1Ru3JoTL%pL2*YsJOurKAqUeV=|A-Z
zgUEEs*AypREcW8G4sDESo}{1A?`f9SSqa<(Q|VMry~QU}fsuP+rkPam;xo@3xliV+
zZ({)2)k%lrpOHAI=HZ1SQruRZ5fU+DSeZOCJ_E){SpqQF$Ki>&IW&Po8@V{t$_D3s
z3q@tM!Ayb%V`!nn9$IxjrR79s#N&`&CJy$E&uyETAsuEBEX~f<rw${>$uQ{3dY>|i
zlrsLrsI;s$X_QQXf-<BSe#K`cN+*HOXW=Y*IT-_^WQc`{scE@VCgb-qybu-)Be#%a
zWTTT7<50#GoSTSwPO3xYX-P>koJiBh`xAi~vc&Z9_tR#r2D7d)!^nW2WYVlWsjUqR
zTu=V#X&(bHcs+^ZXj!>(Sw>Dk4jZ18otK*fKGoUDq%@~9|1xhxo+dLprE??)BC>*0
zaEPO|sWaK%XT8Hi-}Mdy);suVbmLQTy!czH3`carK`NIf0eoGBe(jtq%Vsh}(&Su#
zvgch|brNIVEa$Gnh3EWsaQo8bwS67Jz_^0&0p|gX#Q;Ws(2HsCVjg)h54@OL_~wEa
zbJUC3?ZvFYH$`5|PhQLvFD4w{4Dw=ndogxi4EK^3(+ECLUCdlMSj_A!W)>DRxy4M}
zh+<|`F(WEw_PX>fW?H)yGnT~+1+K<C%@lD%vk8z`iaxY_g`OXp5XL}GEJn=T0Bgtd
z;PU1pjwV<_Uq?%Da06f9WYm4(*07yuhW4gkePWH#gO4~mAlT#t;5`)BPI&3y<peAV
z#<bqz$0gm6DOJPT(DiLBV!P2nbTpkp&!m^pTj|9W^kpM}y+Jq9Z$7%Pcm-J-#g)aP
z+6haPDf?ZDfyZLGw!`9Uauv+`Q62)3ps~ps&M_Q*lvP&{Oys+a=)t#1v*yXH>)SZ3
zx^}T3tm{3F6aElq9Dku66NFLfM?#l29Veb|XK%7VU{No4XWI$>Q^No8<BYPt8;h%8
z8&1la4gIEg{&qNj4H@GSB-?EI5>h&vEa+}HmD!tJ_Cr98*}Xb(dG8(%pSBJnd^<hJ
zG3lml*0yi|<gERO_ixzYeEfyF$IfUF4u@-W_Miv`-xtnkIo1d!3#i~_u&#u10L3Gq
zjtWp24htn{bUktKDCy-yXJo*U0gcXaAGBUL4+5=j5>_4}7UJNrDu!%q(mS1jkN1Nh
z-xy&E(&(J?;iF#RjH+?;W~4^f+I>DGrGvxwuOLU^ohF~Kwqh1xP2!9Wbf@`ikjo+{
zN(c8Z0^2@kpy)A!d>d*0&p0oe4-eX$wdi>lID?<>YB&RoMKHKI;%L+gjn4ZFygMj3
zgpNx14O*QjA9kxdoY8Miwm9cC_t!JvM07(M1^?j*90$q=bPhJy?zi4$jX~E&n+y2D
z9Bs6@gU_Fua78`7Scfax@p+E1g@x-b>oQ_Grd`%TSD20uyR3KP7Gd~21@Sl9#JbM5
z+i7FD-fkAIvFfzmZY4g`>+N>p)02U?<!M)r9mk5wTW4;SLDi;pCgpY$dm@D9*wwkN
zvu1nkvafSJ?gVwNH=OERpJMueiEzgicJ6hqeKGlC8fUCX_MFk4K~PpWLmul-M5p4n
zy!c!@9crf!HVw1dZ^c2&>216z2xhsgblK@Lkn?l=>(>2NTLOwvbKp{cs<CN*`~~!h
z4SzIus$!EUggtzjYOa#~BGRK<lgpg9NqvWZKGqyvAGLf6|Ac)IQ5P&NCr-Qi5oD|D
zgVV0XfveJI9G(}|!;IY+WAf@3QOGN{WdW~x%4Pg2e)-NS+4{pGHl)e-uxRhEmkl3z
zjNj$Ehn<FKn?#6T6*FCMQakdef%o<;KjW}Xo0~W3b#v@cl&V6LVy`ww^OGK?c>29x
zP(N|C)4(8eE5p!0E;I4$@kZ`dw-?ir>gVst(-m_{*~}HkZd@0I++#0P<!;tq!96eC
zElGQ`u@d(zt}FG|WnSyRUU}KEOdIwOh5q@z<@*d)6MmYaf7=}E?tOE}AG7t3vdXS`
z%sewKysojRytI6TiLQA5qf~adtKe5r$i`jTNo%`ayu8Zi((tw^BhRjj^q6^U#v8Y<
z*Pr9J)*Og>(?9*#h5723&Ufs!*N(JnnqxOl|EyKJ-TX7F?9|ICyp4*mrm-U`Vk_js
zb;YdUO+vql6)KS;<kaV}<`HS@BH7kmZb`+LZexD;oHALo<=l;q?G^52yJGIW4U_0!
z?OWb>?OA5PBSX^^r<<zx{bsy0WR;EE+4u0;VefTjN+)F?X1D!5;rX>zs)B^{{kOO1
zN3Dyj*;{YnS~l!%*wLVUDT-Q1QqJ?(f`V0kT|+~5%u~nQx$$c6_+w2|MB#y-W>e1`
zt<2LDKbB7U@QBq`E8EpdZJ4fjTg=PPn^^Zpq7X?^{kpHW{qL{RYo9WM*{cslA<2Se
z*II(_)|B_#YBx35x$TYVhkeVV`Vkdv{od3!$G&Zin$^;C_U&WlX$HT7=L-f`g;eZN
z)z5d2))gO94_@IwysoZfFR<>e>yuB5LUPrOlyvW!ClKgTUO1v{#)SrzdzrF4=DE8S
zr{uCarmNDhI9++Kra88~JZ)*F?!)~@{G^kDFfms;wtThG<^Pz6-~5Sly~^LLfPFV{
zrzm9epnh$(JFKcJ=N_B+E`{^Q{=;hbGDA?fYTlyC6C*Q5Zob(Zs~kfe51sOA=<`#e
z!|6MIYggH6duu!7sk&kaZ?Lhv#NH8wWOUy(jbYt(i$Y4Shyqy?xF-sk!G2c#(ahT-
z)4G=}HmJh(_d7DNv_5L>di9}ay&9^TW9NKQnUgUIj(hn@AMymp0y+{e8`Hr%Oboi>
z1nx9@u4xr33Q^BlJmSNBcCRR8!`}WI)Ajn8qaUW&4vb&%d963=Ue@*fj-BS8Tc5b7
zV_v78FO+|kRQGx=eK+UEPQ&SoFB#JnGkc#~RmL7+2NnGi;6xW(K&@(pz$1TXBm5kv
zwr_1JS~8{9wr^WR<(fK>uf8#6w*H0J$4a^G0^4S|HTj9!P9U76HtbtI%xAn1r5~Nw
z96MUBovq#N#GS`aS~$DR@~v)5lYYoeS0=b|*cm%j%@-xJByLHZR>U&h(c&wc_O-Jj
z#{Tm0poPs{HKJ5rf$zismxO17b_5O#>?ar|Nae{N`M}kJ0m;Mb=g)F^x8#Pc*6hoW
zeTITg?J4YU>3i0SLjLTgeRim+=KiW<4;QL5jdP~9;!nRfLVLYslV!lx-SZc}Ih`6h
z6}86X>n67K<vbbi^PJ^x&n}AIx<Eotr<Zkqw`3DL^^cU;ekZW-KNI}6S<_`Z7N&(O
zPYQp(ehQCr=Uly9x$^TWjX=BA{=}9?Z5^^t^-;e(v8g+AMt`k2)|0hi_sr|?=JJyQ
zEW2zo8&h{G+B3y7xai%Ixw+d|w)f(VqL8H1Z2#fsL-vV6uBz__RGB}RDwIDe-<$T{
zb=wh7_p<KgzrEmG-P+2nkJ_Y;U%RbOi?`(iD|N=1t8SIUYGz)fPo!rjX0Glk@(_(I
z{=98g$?^pu+ovX*vXjk!^$)q7_`JkB_093=BKK842EqY3JwGqb@GKBT1R*_qoGe*e
zia5K!*7^HC^I81UoJMlolV_s${&QTI=)Cx2*<8QjW*`YMy6zfXGu}4U3kr?NAJcrz
zee9sH#?73o+2HrRF17dh1E)lg{v*Kok0p|ky;6z_Uwk%y(~9l6?Oi!im%w@Gqt!hE
zHx14oT+Biys{tl`(CPw>`>^T-(?uw54Zu+B?vs+>vtm>x14^T76GK0ZuBI#zJ=`vX
zQ8`5DGW4f>3wkGmPbQJ5xhYssCr2-~;GHdSm{iuklp{@fFqj$+a<0|O5xXCA)pmfp
z`;{Dh`h3g`4seTJ%TX)(<uz0jJgaD&tYDjUB(~XaTaxkKFtVw+6OOtyHbn|7YrlSK
zdfl3ew;^bB7klHZ21Ge%bo@wlM+}O=&<rOrh(MFpH8`2H7<+`#A?){*9xXN;;{CN*
zLNB`b*Jg<lV_HMSon!j4J@Q8FSDolJMlFjGFcVU+?{<i5@U%t)oYIJkTz?z#2G?M=
z1ZlYm6lB@p9TR)N--c4*e>h9Jl7~1vjczQSkQ9Oprw-URHl69w84uMGq9mHn7r$<;
z5qz*Sxoq;Gso_(DU;#&F4GA26zAf@}iLkNlIn_4Ey$2QK&I#%zvo*=LD`NKJu6z00
zm~L=43vxH_9@ML`>DCf##KRugnArZ!A^h*0|8s-pzq>W^d#|oWhx_l!zvktCy(RHq
cKl{&H{9X6|r45q*{4M|Iwf|50|L=7AAM2Y?4FCWD

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index e084a6c0b23cf7dee3c32553d4d9b553c520a715..b8bae8e3d9f5ea94773b646a26ca5e4e0c61a95d 100644
GIT binary patch
delta 643
zcmZqpz})bKc>@a*XB7hj!@vLk|5tD3WxCABSULGFv-~8M9M%Vo@40VIE@WwEs(QWo
z7t1kbPKKTLxNn}i$;dp}vC(`JXNSH7Ul~v{0~dp9MRICENoIataVvuWL*%*13oOD|
zpEENsq;39fA*;ZYB)(ZH@{t&qCj&!DW@36#V(w&vd=(=XcQ?1vs;bl?T~kXFa|;to
zLo-7|b4x>GGrh9n6ix;P51<MikAPq|RR#v<#60zq$$yh&SQKm&3^xDC-^4Gs0%&_@
z8w10~DGUrh7cnp_+`zz4yN7{6^ArQa^|O=rUklhQ(@-tIxMK5+345J&IhX_(mIAe~
zGpI6x9PYr#&j1ozhDB`oX16QH8SDQ7eFxIw#E=Zs0^u<Nc|1Td2#*QKO99F;GO+<w
zG6Q)KaTXv8=rkygmBE)G6|Ra6stRN=!sKNPAd`!sdX_N&O|EA!1#&?~FM}Jsi~(eH
zEYvy67(hnHL5*I<05f_yiqXr#Msq-oUJf#vffcG}Io#ysV3T2vUJf)_5#j3PV56@y
zh%lr9BesVjfFTM5Crezj<C_mO5a>*X`9R3TG`aP&>g3LADnd8TGcf$P!N5@Pkbz;x
VOQ4F^oA+OHl${*VXt3xD3ji~4o4No1

delta 238
zcmV<K01^Ly^aFtK1F!@F33&hj0RI2~|9Z0x0@DGL<O3X$U<8r`Yy~jZ1VX5jaRi3~
zs_C=(1jYjifO)q;sLI&^1CzmlH?j$cFBpz>000003IIiTV`Xr3X>V?Gg#Zu$iOiFr
zI93JN0{{SHv->z5AOhkRvl?0A7PEYCvJW1m00009h5!I@lmGyEq5uFPumAx4y8r;G
z$p8Qi%#)AUP_vwXdk_Jovlx-RL$eXpxB&~-01f~g0ssI|08o?Y*FFoQ000000097_
o0Hc#q^(d2B*d!7N&Hw-?*8l*Z-v9vU=KugO>9dd6K^>y@1pdlZrT_o{